resource "google_binary_authorization_policy" "<%= ctx[:primary_resource_id] %>" {
  default_admission_rule {
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    require_attestations_by = [google_binary_authorization_attestor.attestor.name]
  }

  global_policy_evaluation_mode = "ENABLE"
}

resource "google_container_analysis_note" "note" {
  name = "<%= ctx[:vars]["note_name"] %>"
  attestation_authority {
    hint {
      human_readable_name = "My attestor"
    }
  }
}

resource "google_binary_authorization_attestor" "attestor" {
  name = "<%= ctx[:vars]["attestor_name"] %>"
  attestation_authority_note {
    note_reference = google_container_analysis_note.note.name
  }
}
